Uncategorized —

Hacker warns of hardware vulnerabilities

In a presentation today at the Black Hat security conference, security expert Brendan O'Connor discussed a vulnerability that affects Xerox printers. In an attempt to illuminate potential problems created by security deficiencies in embedded software, O'Connor exploited the vulnerability and intercepted data from content printed with the device. O'Connor points out that users trust printers, and that a large volume of sensitive information goes through them.

Despite the fact that Xerox issued a patch to fix the WorkCenter printer bug in February, O'Connor says that the problem still hasn't been completely resolved, and the printer is still vulnerable to infiltration. Characterizing the device as "a Linux server wrapped in a copier box," the security expert warns that as embedded software becomes more complex, companies and consumers will have to take hardware security more seriously. At present, O'Connor doesn't feel that sophisticated embedded technologies are "getting the level of scrutiny that they require."

Xerox manager Armon Rahgozar, who attended the presentation, explained that Xerox is still working on fixing the problem, and plans to issue another patch. Rahgozar says that the company is also evaluating an automated update solution that will simplify distribution and installation of fixes.

Citing Cisco's lawsuit against security researcher Michael Lynn who disclosed vulnerabilities relating to a Cisco product at the 2005 Black Hat convention, O'Connor was initially concerned that the Xerox representative would not be pleased with the presentation. Such fears dissipated completely when Rahgozar expressed appreciation for O'Connor's efforts at the conclusion of the demonstration.

Vulnerability disclosure

Vulnerability disclosure has become a contentious issue in the technology industry since public knowledge of security flaws can promote attacks and lead to loss of business. In an attempt to deter disclosures, some companies retaliate with lawsuits. Supporters of vulnerability disclosure point out that the availability of such information ensures a higher level of developer accountability, increases public awareness of serious risks, and empowers users and administrators by providing them with the resources they need to help protect themselves, their networks, and their companies.

In 2001, Microsoft Security Response Center manager Scott Culp condemned vulnerability disclosure as "information anarchy" and claimed that it was harmful to the industry. The Redmond giant has wisely changed its tune, and now solicits assistance from the computer security community in order to ensure that its latest software adequately protects users. This year, Microsoft participated in the Black Hat convention and invited hackers and security experts to test their skills against Vista's security improvements. Joanna Rutkowska demonstrated a technique for circumventing Vista's driver signing mechanism, and showed how the technique could be used to infect a Vista PC with malware. A Microsoft representative described the discovered vulnerability as "legitimate" and says that the company is now investigating the problem.

The Digital Millennium Copyright Act, which (among other things) imposes restrictions on the development of software or tools designed for the purpose of circumventing access controls, also presents a significant threat to security researchers that are engaged in experimentation. Although some exceptions are made for research purposes, many security experts argue that the exceptions are far too narrow. During a 2002 presentation at MIT, former White House cybersecurity chief Richard Clarke called for DMCA reform and lamented the detrimental impact of the legislation on security research. The Institute of Electrical and Electronics Engineers has also criticized the DMCA for stifling publication of valuable research and alienating an important segment of the technology research community.

Despite the legal risks, security experts continue to share, discover, and explore security vulnerabilities for the benefit of end users. As Microsoft and Xerox have demonstrated, meaningful dialog and productive collaboration between companies and the security community can be mutually beneficial.